
GDPR and Email: Ensuring Financial Comms Remain Compliant

Since coming into force in 2018, the EU General Data Protection Regulation (GDPR) has been the cornerstone of legislation safeguarding personal information. The way data is handled has changed as a consequence, affecting how businesses and consumers communicate.

With identity theft and cyberattacks growing more numerous, GDPR compliance has never been more important. Banks and other financial institutions handle larger quantities of personal data than most other sectors, so it is even more fundamental that GDPR is adhered to at every stage, especially when communicating digitally. Before exploring this point further, here is a brief recap of the basics of GDPR.


What is GDPR?

The General Data Protection Regulation (GDPR) is the European Union’s data protection law, applying from 25 May 2018. It applies to any organisation, wherever it is based, that processes the personal data of people in the EU, including organisations that offer them goods or services or monitor their behaviour. Since Brexit the UK has retained it as the UK GDPR, enforced by the Information Commissioner’s Office (ICO).

‘Personal data’ is any information relating to an identifiable individual; common examples that need protecting are names, email addresses, social networking details, bank information, medical history and location.

The overall aim was to give individuals greater control over their data. Their rights under the regulation are:

  1. The right of access: individuals can ask what data a company holds on them and how it has been used.
  2. The right to erasure (the ‘right to be forgotten’): when data is no longer needed for the purpose it was collected for, or the individual withdraws consent, it must be deleted unless another legal obligation (for financial firms, typically anti-money laundering record keeping) requires it to be retained.
  3. The right to data portability: individuals can obtain their data in a machine-readable form and transfer it from one service provider to another.
  4. The right to be informed: individuals must be told, at the point their data is collected, what is collected, why and on what legal basis; where consent is the basis, it must be a genuine opt-in.
  5. The right to rectification: out-of-date or incorrect data must be corrected at the request of the individual it concerns.
  6. The right to restrict processing: individuals can require that their data is stored but not otherwise processed, for example while a dispute over its accuracy is resolved.
  7. The right to object: individuals can, at any time, stop the processing of their data for direct marketing.
  8. The right to be notified of breaches: a personal data breach must be reported to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of it, and the affected individuals must be told without undue delay where the breach is likely to result in a high risk to them.


How does GDPR affect financial organisations?

Now that consumers have been placed in the driving seat when it comes to their data, what does this mean for businesses? Contrary to a common misconception, GDPR isn’t just an IT issue; it has wide-ranging consequences that affect entire companies.

Firstly, non-compliance has become costly. Firms that fail to meet the basic principles of GDPR face fines of up to €20 million or 4% of global annual turnover, whichever is greater. This is a substantial deterrent for anyone who might have considered sticking to pre-GDPR practices.

Companies now have an obligation to take greater accountability for the data under their care, putting new and fundamental processes into play that ensure the privacy of their customers' personal information.

For financial firms, a clear data management strategy must be adopted to meet GDPR requirements, covering aspects such as data tagging, tracking, encryption, quarantining and destruction. To achieve this, a culture of protection must be upheld across all areas of the company. Organisations must ensure that security measures are scaled to the potential risk, and one significant risk that remains today is outbound communications.


How does GDPR affect business-to-consumer communication?

Customer interactions are becoming increasingly digital, a shift accelerated by the pandemic. Businesses now communicate with consumers online, carrying out know-your-customer (KYC) and anti-money laundering (AML) checks that were previously completed in person. One of the main channels for this is email, with an estimated 316 billion messages sent and received each day during 2021.

While performing essential data collection processes over email offers greater convenience for both firm and client, it carries a host of GDPR implications.

This is because one key aspect of GDPR is information security, set out in Article 5(1)(f) (the integrity and confidentiality principle):

Personal data shall be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’

This covers both physical and technical measures: firms need appropriate security in place to prevent data from being compromised, whether by accident or by a deliberate attack. On the technical side it means protecting your online assets, from your website to the emails you exchange with customers, against breaches and cyberattacks.


Why does email need to be protected?

Unfortunately, email was never designed to be secure. It grew out of messaging between users of early time-sharing systems at the Massachusetts Institute of Technology (MIT) and then the ARPANET in the 1960s and 1970s, networks on which every user was trusted. The core protocol, SMTP, still carries messages in plaintext unless the servers on the path negotiate encryption, and by itself neither authenticates the sender nor protects the contents of a message from being intercepted or read from a compromised mailbox.

It is estimated that financial services firms are 300 times more likely to be targeted by cybercriminals because of the amount of sensitive customer data used across the industry, and 62% of financial services organisations predict a rise in email threats to come. An email data breach can be extremely detrimental to consumer perceptions of the affected company, damaging its reputation and costing it customers.

As you can imagine, this is bad news for your GDPR compliance if you use email regularly for sensitive communications. One method recommended by the UK Information Commissioner’s Office (ICO) for mitigating these threats is email encryption.


What is email encryption?

Usually working in tandem with authentication technology, email encryption is a vital piece of outbound email security. Encryption transforms a message so that its content is unreadable to anyone without the key, which keeps it from unauthorised third parties even if it is intercepted. Various kinds of encryption are used commercially today, with differing levels of protection. Transport Layer Security (TLS) encrypts the connection between two mail servers, so it protects a message in transit on that hop but not once it sits in a mailbox; and between mail servers it is usually opportunistic, meaning that if the receiving server does not offer TLS, or an attacker on the path strips the offer, many senders fall back to plaintext unless the recipient domain publishes a policy (such as MTA-STS) requiring TLS. Office 365 Message Encryption (OME) and similar services encrypt the message itself so that only the intended recipient can open it, which protects it at rest as well as in transit.
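The practical difference between the ‘levels of protection’ TLS offers comes down to a decision the sending mail server makes: whether to proceed when it cannot establish a trustworthy TLS connection to the recipient’s mail exchanger. The following is an added example, not code from the original page or from Mailock, and it goes a step beyond the text by showing that decision as it is made under an MTA-STS policy (RFC 8461), which a recipient domain can publish to require TLS. The policy text, the MX hostnames and the observed TLS outcomes are constructed for the example; the parsing and wildcard-matching rules follow the RFC.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed policy text in the RFC 8461 format. A real sender fetches it from
# https://mta-sts.<recipient-domain>/.well-known/mta-sts.txt after finding an
# _mta-sts TXT record in DNS; it is embedded here so the example runs offline.
EXAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class StsPolicy:
    version: str
    mode: str                      # "enforce", "testing" or "none"
    mx: List[str] = field(default_factory=list)
    max_age: int = 0


def parse_policy(text: str) -> StsPolicy:
    """Parse an MTA-STS policy file: one 'key: value' per line, mx may repeat.

    Raises ValueError on a malformed policy. A sender that cannot parse the
    policy treats the domain as having none; it must not guess 'enforce'.
    """
    mx: List[str] = []
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            mx.append(value.lower().rstrip("."))
        else:
            fields[key] = value        # unknown keys are ignored, per the RFC
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing MTA-STS version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    try:
        max_age = int(fields["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds") from None
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policies must list at least one mx")
    return StsPolicy("STSv1", mode, mx, max_age)


def mx_matches(policy: StsPolicy, mx_host: str) -> bool:
    """True if the MX host is listed in the policy.

    A '*.example.com' pattern matches exactly one leading label, so it covers
    'a.example.com' but not 'a.b.example.com' or 'example.com' itself.
    """
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy: StsPolicy, mx_host: str,
                      tls_offered: bool, cert_valid: bool) -> Tuple[bool, str]:
    """Decide whether to deliver. tls_offered and cert_valid stand for what the
    sending server observed when it connected to mx_host (constructed inputs)."""
    if policy.mode == "none":
        return True, "no policy in force: opportunistic TLS only"
    secure = tls_offered and cert_valid and mx_matches(policy, mx_host)
    if secure:
        return True, "TLS with a valid certificate to a policy-listed MX"
    if policy.mode == "testing":
        return True, "insecure path but mode is testing: deliver and report"
    return False, "mode is enforce: refusing to deliver over an insecure path"


if __name__ == "__main__":
    policy = parse_policy(EXAMPLE_POLICY)
    # A downgrade attacker strips the STARTTLS offer: enforce mode blocks delivery.
    print(delivery_decision(policy, "mx1.example.com", tls_offered=False, cert_valid=False))
    # Normal case: TLS negotiated with a valid certificate to a listed MX.
    print(delivery_decision(policy, "mx1.example.com", tls_offered=True, cert_valid=True))
    # Spoofed MX record pointing at an attacker host that does offer TLS: still blocked.
    print(delivery_decision(policy, "mx.attacker.example", tls_offered=True, cert_valid=True))
```

Without an enforce policy the same sender would deliver in all three cases, the first two in plaintext. That is the gap between ‘the connection used TLS’ and ‘the message was protected’, and it is why transport encryption alone is a weak basis for sending personal data over email.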

Mailock, our secure email solution, uses AES-256 encryption to protect sensitive customer data. Paired with two-factor authentication of the recipient and with email auditing and revoke capabilities, Mailock is the industry standard for outbound email protection. By safeguarding advisers and providers from the harmful effects of a breach, Mailock helps firms and enterprises meet the security requirement of Article 5(1)(f); encryption is one of the technical measures that article calls for, and the organisational measures around it remain the firm’s responsibility.
